/Snort3Converter

This is a first foray into developing a tool to allow fast an easy conversion of custom rules from SURRICATA to SNORT 3 currently.

Primary LanguagePythonMIT LicenseMIT

Snort3Converter

A project for converting IDS/IPS/NGFW rules into Snort 3 rules.

License:MIT License

Basic Commands

Running The Converter

  • Usage

    usage: snort3convert.py [-h] [--source_rule_type SOURCE_RULE_TYPE] [--output_rule_type OUTPUT_RULE_TYPE] [--SID SID] input_file output_file
    
    Program Accepts Selected rule input and converts to selected output rule type.
    
    positional arguments:
      input_file            Full path to Source File
      output_file           Full path for Output File
    
    optional arguments:
      -h, --help            show this help message and exit
      --source_rule_type SOURCE_RULE_TYPE
                            Source Rule OPTIONS: Suricata
      --output_rule_type OUTPUT_RULE_TYPE
                            Output Rule OPTIONS: Snort3
      --SID SID             Starting SID value for Snort rules
  • To run the tool via python (installed via pip)

    $  pip install snort3_conv_tools
    $  python -m snort3_conv_tools.snort3convert testsuricatainputrules.txt snort3rules.txt --SID 1000010 --source_rule_type SURICATA --output_rule_type SNORT
  • To run the tool via windows executeable (from release page)

    $ snort3convert.exe suricatarules.txt snort3rules.txt --SID 1000010 --source_rule_type SURICATA --output_rule_type SNORT3

For convenience you can use the defaults

  • To run the short form of the above python command using defaults

    $ python snort3convert.py suricatarules.txt snort3rules.txt
  • To run the short form of the above windows command using defaults

    $ snort3convert.exe suricatarules.txt snort3rules.txt

TESTED Supported Suricata Functions:

This tool has currently been tested on the following features:

Surricata Function Support Summary
Feature Support Status
URL supported
SSH supported
PCRE supported
User-Agent supported

Get Developing!

If you wish to contribute to expand support or simply hack away then please do!

Checkout the code:

git clone https://github.com/Cisconate/Snort3Converter

Install Dependencies:

cd dev
pip install requirements/dev.txt

To Generate the Docs

Install Dev Dependencies then:

cd docs
make

To Run the Tests

Quick and Dirty:

$ cd src/
$ python -m pytest ../tests
or
$ python -m pytest ../tests --log-cli-level DEBUG -s

The Right Way:

$ tox

We use tox. It builds virtual environments defined in tox.ini for different versions of python, then builds the installable package, then installs it, then runs the tests. It does this for all the versions you have defined and is suitable for continuous integration.

It is intentional that you cannot run a normal pytest command without PYTHONPATH tomfoolery or calling pytest in the manner we show above for Quick and Dirty. By not being importable it prevents a whole class of testing problems related to accidentally getting your local dev code instead of what is installed by the package. It also forces you in general to test installed code instead of dev code, making sure that your packaging is correct also

Frequently Asked Questions

  1. Why this directory structure?
    https://blog.ionelmc.ro/2014/05/25/python-packaging/#the-structure